AT&T faces $224 million sue over cryptocurrency hack by SIM swapping

Precedent means a lot in the legal world, and with large segments of cryptocurrency still unexplored, there might be a few keeping an eye on AT&T’s progress in this interesting case.

In a filing made to the US District Court in Los Angeles, cryptocurrency investor Michael Terpin is suing AT&T for $224 million following the theft of $23.8 million in cryptocurrency tokens. While AT&T did nothing directly associated with the theft, Terpin is holding the telco accountable for SIM swap fraud.

“Somebody needed to sue AT&T for fraud & gross negligence in letting criminals SIM swap. I just did,” Terpin said on Twitter.

SIM swap fraud allows nefarious individuals to trick service providers into transferring a subscriber’s phone number to a SIM card which is in that persons possession. Once the fraudster has access to the SIM, the new device can be used to reset passwords and access online accounts. With some services still reliant on phone-based authentication, it can be a very effective way to drain accounts or move assets.

The practise involves a lot of research, as security questions asked on the phone can defeat this scheme, though considering the questions are usually quite obvious it isn’t fool proof. With so much of our lives online, enough Googling on an individual would certainly build a profile. In this case, as the founder of BitAngels Terpin would have been interviewed numerous times and had countless articles written about him. The profile could have been bulked out further.

Once this profile has been built, the fraudster would call the service provider claiming a lost phone and asking the account be transferred to a new SIM in that persons possession. Assuming the security questions could be answered, the fraudster would then effectively have free reign over the victims virtual identity.

In this case the end result was the loss of cryptocurrency tokens. Alongside recovering the $23.8 million, Terpin is also seeking $200 million in punitive damages. The complaint details AT&T had been previously contacted about such instances of fraud, and since not enough has been done to prevent fraud, it should be held accountable.

The dangers of online identities have been well-publicised, but as there have been few major, real-world examples of the dangers, many ignore the risks. In truth, we do not know how dangerous it can be to freely publicise such vast quantities of personal information online for anyone to see. This is just one example, but as fraudsters probe for weaknesses, we suspect such stories will become more common.

The issue here is about negligence and indirect contribution to the scheme. This is the position AT&T finds itself in. For the telco world, it could be viewed as critical for AT&T to win this case and set precedent.

As this is one of the first mainstream cases, judges in the future will use this as an example to make rulings in the future. If AT&T finds itself on the losing side, telcos throughout the US may find themselves much more exposed to the nefarious activities in the dark corners of the internet.

The internet offers wonderful opportunities for many around the world, but every now and then it is worth being reminded there are dangers in the un-explored regions of the web.